Introduction to Cybersecurity & Information Assurance for FQHCs April 13, 2011 Amelia Muccio Director of Emergency Management amuccio@njpca.org Objectives • • • • • • • • Cybersecurity Information assurance FQHCs as target Cyber threats/risks Vulnerabilities Countermeasures Safeguarding Promoting a culture of security . Serious Threat • Richard Clarke was famously heard to say, "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.” • The growing number of attacks on our cyber networks has become, in President Obama’s words, “one of the most serious economic and national security threats our nation faces.” Who & What is At Risk? • • • • • • • • • Economy . Defense Transportation Medical Government Telecommunications Energy Sector Critical Infrastructure Computers/Cable TV/Phones/MP3/Games Fundamental Concepts of Information Assurance • • • • Confidentiality (privacy) Integrity (quality, accuracy, relevance) Availability (accessibility) CIA triad Internet • In 1995, 16 million users (0.4%) • In 2010, 1.6 billion users (23.5%) • Unable to treat physical and cyber security separately, they are intertwined. How Does an Attack Happen? • • • • Identify the target Gather information Plan/Prepare the attack Attack Information Gathering . . Attack Trends • • • • • Increasing sophistication Decreasing costs Increasing attack frequency Difficulties in patching systems Increasing network connections, dependencies, and trust relationships What Threatens Information? • • • • • • • • • Misuse Disasters Data interception Computer theft Identify/Password theft Malicious software Data theft/corruption Vandalism Human error Threats • A threat is any potential danger to information and systems • 3 levels of cyber threats • Unstructured • Structured • Highly structured Unstructured Threats • Individual/small group with little or no organization or funding • Easily detectable information gathering • Exploitations based upon documented flaws • Targets of opportunity • Gain control of machines • Motivated by bragging rights, thrills, access to resources Structured Threats • Well organized, planned and funded • Specific targets and extensive information gathering to choose avenue and means of attack • Goal-data stored on machines or machines themselves • Exploitation may rely on insider help of unknown flaw • Target drives attack • Organized crime/black hat hackers Highly Structured Threats • Extensive organization, funding and planning over an extended time, with goal of having an effect beyond the data or machine being attacked • Stealthy information gathering • Multiple attacks exploiting unknown flaws or insider help • Coordinated efforts from multiple groups • “Cyber warfare” Web as Weapon • • • • • • • • • Infrastructure run by computers Government SCADA system Overflow dam, disrupt oil supply Sewage plant in Australia overflowed due to black hat hackers Cyberterrorism (Bin Laden and Aum Shinrikyo) Combined attack Cause power outage and biological attack EMS disruption and nuclear emergency Next war fought with code & computers Hackers and Crackers • White hat hacker-curious, explore our own vulnerabilities, bragging rights/just did it. • Black hat hacker/cracker-malicious intent, exploit vulnerabilities for monetary profit or gain or perpetrate a crime, organized crime. • Gray hat hacker-helpful or ethical hacker, motivated by a sense of good. Cowboys. • GHHs find vulnerabilities, notify company of them so they can be fixed and resolved. Gray Hats • Adrian Lamo • Find vulnerabilities, inform company • WorldCom, Google, NYTimes, Bank of America, NASA • NYTimes used SSN # as passwords • Edited Yahoo Story • Robert Lyttle • DoD, Pentagon • Both got into trouble! Early Days…Phone Phreaking • • • • • 2600 Hz Tone Captain Crunch Whistle & 4th E above Middle C Long whistle reset line, then dial w/whistle Tricked phone companies/tone dialing Free long distance and international calls Risk • Threat + Vulnerability • Likelihood of an undesirable event occurring combined with the magnitude of its impact? • Natural • Manmade • Accidental or Intentional • People are the weakest link Risk Management • Identifying and assessing risk, reducing it to an acceptable level and implementing mechanisms to maintain that level • Protect against: • Physical damage • Human error • Hardware failure • Program error • Cyber attack Risk Handling Discussion • • • • • Risk reduction (countermeasures, HVA) Risk transference (insurance) Risk acceptance (may happen) Risk rejection (do nothing) Security assessments are an important part of risk management • Penetration testing • Identify all vulnerabilities and threats to information, systems and networks Contingency Planning Components • • • • How to handle disruption? Business continuity Disaster recovery Incident response Recovery Strategy • A recovery strategy provides direction to restore IT operations quickly and effectively • Backup methods • Alternate sites • Equipment replacement • Roles and responsibilities • Cost considerations BCP • A comprehensive written plan to maintain or resume business operations in the event of a disruption • Continue critical business operations • Jeopardize normal operations • Most critical operations • May require alternate sites (hot, warm, cold) • What do we need to KEEP going? DRP • A comprehensive written plan to return business operations to the pre-disruption state following a disruption • Restore IT functions (prep and restore) • Jeopardize the normal operations • Includes all operations • RETURN TO NORMAL BUSINESS OPERATIONS • WHAT DO WE NEED TO DO IN CASE OF A DISASTER? Plan Testing, Training and Exercising • Testing is a critical to ensure a viable contingency capability • Conduct plan exercises • TTXs are useful Policies and Procedures • Establish security culture • Establish best security practices • Define goals and structure of security program • Educate personnel • Maintain compliance with any regulations • Ex: email policy, Internet usage, physical security Physical Security Countermeasures • • • • • Property protection (door, locks, lightening) Structural hardening (construction) Physical access control (authorized users) Intrusion detection (guards, monitoring) Physical security procedures (escort visitors, logs) • Contingency plans (generators, off site storage) • Physical security awareness training (training for suspicious activities) Personal Security • Practices established . to ensure the safety and security of personnel and other organizational assets • It’s ALL about people • People are the weakest link • Reduce vulnerability to personnel based threats Personal Security Threat Categories • Insider threats-most common, difficult to recognize • Includes sabotage and unauthorized disclosure of information • Social engineering-multiple techniques are used to gain information from authorized employees and using that info in conjunction with an attack • Not aware of the value of information Social Engineering • Being fooled into giving someone access when the person has no business having the information. Dumpster Diving and Phishing • DD-rummaging through company’s garbage for discarded documents • Phishing-usually takes place through fraudulent emails requesting users to disclose personal or financial information • Email appear to come from a legitimate organization (PayPal) P&P • Acceptable use policy-what actions users may perform while using computers • Personnel controls-need to know, separation of duties • Hiring and termination practicesbackground checks, orientation, exit interview, escorting procedure Private Branch Exchange (PBX) Systems • • • • • Toll fraud Disclosure of information Unauthorized access Traffic analysis Denial of Service (DoS) PBX Threat Countermeasures • • • • • Implement physical security Inhibit maintenance of port access Enable alarm/audit trails Remove all default passwords Review the configuration of your PBX against known hacking techniques Data Networks • For computers to communicate • Less expensive to use same network • Modems designed to leverage this asset Modem Threats • Unauthorized and misconfigured modems • Authorized but misconfigured modems Wardialing • Hackers use a program that calls a range of telephone numbers until it connects to an unsecured modem and allows them dialup access • Identify potential targets Modem Threat Countermeasures • • • • • • Policy Scanning Administrative action Passwords Elimination of modem connections Use a device to protect telephony-based attacks and abuses Voice Over Internet Protocol (VoIP) • VoIP is a technology that allows someone to make voice calls using a broadband Internet connection instead of a regular (analog) phone line VoIP Benefits and Threats • • • • • • • Less expensive Increased functionality Flexibility and mobility Service theft Eavesdropping Vishing Call tampering VoIP Threat Countermeasures • • • • Physical control Authentication and encryption Develop appropriate network architecture Employ VoIP firewall and security devices Data Networks • • • • Computers linked together Hosts (computers, servers) Switches and hubs Routers Common Network Terms • Local Area Network (LAN)-network grouped in one geographic location • Wide Area Network (WAN)-network that spreads over a larger geographic area • Wireless LAN (WLAN)-is a LAN with wireless connections Data Network Protocols • Transmission Control Protocol (TCP)-moves data across networks with a connection oriented approach • User Datagram Protocol (UDP)-moves info across networks with a connectionless oriented approach • Internet Control Message Protocol (ICMP)-OS to send error messages across networks • Hypertext Transfer Protocol (HTTP)-transfers web pages, hypermedia Data Network Threats • • • • • Information gathering Denial of Service (DoS) Disinformation Man-in-the-middle Session hijacking Information Gathering Threats/Network Scanning • What target is available? • Reduces time on wasted effort (attacker) • One of the most common pre-attack identification techniques is called scanning • Scanning uses ICMP service “PING” • PING SWEEP-echo request to range of addresses (provides list of potential targets) • Are you there? Yes, I am there. • Firewall should protect against Sniffing • A sniffer is a program that monitors and analyzes network traffic and is used legitimately or illegitimately to capture data transmitted on a network Denial of Service (DoS) • Degrade and prevent operations/functionality • Distributed denial of service (DDoS) attack uses multiple attack machines simultaneously • Vast number of ICMP echo request packets are sent to the target, overwhelming its capability to process all other traffic Ping Flood/Ping of Death • Ping flood-too much ping traffic drowns out all other communication • Ping of Death-oversized or malformed ICMP packets cause target to reboot or crash • Host cannot cope with ping packets • Ping of Death relies on a vulnerability of buffer overflow • Buffer overflow-size of input exceeds the size of storage intended to be received Smurf Attack (Ping Flood) • Large stream of spoofed Ping packets sent to a broadcast address • Source address listed as the target’s IP address (spoofed) • Broadcast host relays request to all hosts on network • Hosts reply to victim with Ping responses • If multiple requests sent to broadcast host, target gets overloaded with replies DDOS with Zombies/Botnet • Zombies-infected computers • Botnet-bunch of infected computers (same time)massive traffic • DDoS attack where a multitude of compromised systems attack a single target • Flood of incoming messages to target system and force a shut down • Google was target Man-In-The-Middle Attacks • Instead of shutting down target networks, attackers may want access • Access information between authorizes parties and observes it • Uses a sniffer and gains information • Digital wiretapping • Types of attacks • Eavesdropping • Session hijacking Network Attack Countermeasures • • • • • • Countering the threats Scans/Sniffing/Ping sweeps DoS/DDoS Smurf attack Session hijacking Eavesdropping Ways to Recognize Scanning • • • • System log file analysis Network traffic Firewall and router logs Intrusion Detection Systems (IDSs) – NIDS “Snort” or HIDS “OSSEC” • Recognize as soon as possible • Perform regular monitoring Defending Against Scanning-Use More than 1 • • • • • Block ports at routers and firewalls Block ICMP, including echo Segment your network properly Hide private, internal IP addresses Change default account settings and remove or disable unnecessary services • Restrict permissions • Keep applications and operating systems patched Sniffing Countermeasures • • • • Strong physical security Proper network segmentation Communication encryption To guard against sniffing, make sure attacker cannot access a legitimate communication stream DoS and DDoS Countermeasures • • • • • • • • Stop the attack before it happens Block “marching orders” Patch systems Implement IDS Harden TCP/IP Avoid putting “all eggs in 1 basket” Adjust state limits Keep us from being targeted and lock down assets Snort (Network IDS) • Snort’s open source network-based intrusion detection system has the ability to perform realtime traffic analysis and packet logging on Internet Protocol (IP) networks. • Snort performs protocol analysis, content searching, and content matching. • The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans. • FREE Other Countermeasures • Encrypted session negotiation (ensure handshake process) • Repeating credential verification during the session (kick out hijackers) • Partitions • User training (all personnel can understand security) Defense-In-Depth • Defense-in-depth is an information assurance (IA) strategy in which multiple layers of defense are placed throughout an information technology (IT) system. • It addresses security vulnerabilities in personnel, technology and operations for the duration of the system's life cycle. Perimeter Defense Countermeasures • • • • • • • • Router security Demilitarized Zone Bastion host Firewalls Intrusion Detection Systems Intrusion Prevention Systems Virtual Private Network (Defensive technologies) Routers • First line of perimeter defense • Connects external environment to internal network • Securely configured • Audit regularly • Keep patched and updated DMZ • Machine or machines accessible by the Internet, but not located on the internal network or the Internet • Web server • Email server • Should not contain much valuable data • IDS sensor to detect malicious traffic Bastion Host “Harden/Locked Down” • • • • • • • • • Highly exposed to attacks in DMZ Web server Email server Locked down/hardened system Unnecessary services disabled No unnecessary applications Fully patched Unnecessary ports closed Unnecessary accounts disabled Firewalls • Control connections from one network (or portion of network) to another (restrict Internet access) • Enforce security policy • Hardware or software • Firewalls DO NOT monitor connections not passing directly through it—not a magic bullet • Even perfectly configured is still vulnerable • Packet filtering • Proxies • Stateful inspection Intrusion Detection System (IDS) • Detects suspicious activity • Alerts upon discovery of possible compromise attempts • Compromised of several components • Sensors • Analyzers • Administrator interfaces • IDS can search for attacks, terminate connections, send real time alerts, protect system files, expose hacking techniques, illustrate vulnerabilities and even assist in tracking down hackers Common Types of IDS • Host based-mail server, web server or individual PC • Network based-network itself, Virtual Private Networks (VPN) • A secure, private data connection through a non-secure public network • Often through the Internet • Uses encryption and tunneling protocols Wireless Technology • Allows communication between multiple systems/devices without physical connection • Much less expensive than wired solutions • WLAN . Wireless Threats and Countermeasures • • • • • • • Access point mapping Service Set Identifier (SSID) broadcasting Default SSID Radio frequency management Default settings Authentication Bluetooth security Access Point Mapping • WLAN version of . wardialing • An AP is a device connecting a wired network to wireless devices using radio frequency • Software (net stumbler, air snort, void11) • Warchalking (available access points) Service Set Identifier (SSID) Broadcasting • “Beaconing”-this is the continuous announcement by a Wi-Fi access point that it is available. • SSID is name assigned to the wireless connection • Default SSIDs poses a security risk even if the AP is not broadcasting b/c default names are widely known Radio Frequency Management • The signal should die out before it reaches the physical boundaries of the property • This helps unauthorized users from driving by and intercepting confidential wireless signals Default Settings • Many access points arrive with no security mechanism in place • Changing the default settings before deployment should be a matter of organizational practice Authentication Issues • Open system-SSID, subject to sniffing • Shared key-SSID plus WEP encrypted key required, subject to man-in-the middle attacks • Many wireless networks do not contain adequate authentication mechanisms • Both Open and Shared are considered weak Authentication Issues • WEP standard proven insufficient • Replaced with Wi-Fi Protected Access (WPA) • WPA demonstrates its own weaknesses • Replaced by WPA2 which is viewed as more secure . Bluetooth Security • Popular short-range technology • Used for many personal electronic devices including phones, music players, etc. Threats • Bluejacking-sending unsolicited messages to Bluetooth devices • Bluesnarfing-unauthorized access of information from a wireless device through a Bluetooth connection • Bluebugging-unauthorized control of Bluetooth assets Operating System • A program that acts as an intermediary between a computer user and the computer hardware • “GUI” Graphical User Interface • Process management • Main memory management • File management • I/O system management • Secondary storage management • Network management • Protection system management • User interface management Operating System Security • Confidentiality: only let authorized entities access computer and information • Integrity: only allow authorized changes to information • Availability: manage resources to permit access to information and system at all required times Authorization and Authentication • WHO IS AUTHORIZED? • Authorized by policy of organization and operational requirements • HOW DO WE KNOW? • Accounts (identification) • Known systems • Passwords • Secure communication channel Access Control • Verifying the identity of entities before granting access and restricting access • Controls how users and systems communicate and interact with other systems and resources • First line of defense • Authenticate before allowing access to authorized resources • Policies, locks, passwords • Social media policies?? Auditing • A trail to follow • Creation of logs • A log is a record of events or activities that occur • Detectable events • Collect and save in secure information • Analyze results . Threats to OS • The basic problem with OS and computers is that a system allows unauthorized users to compromise the system to gain unauthorized access to system resources • Weak/Broken identification • Weak internal security structures • Programming errors in operating system Once Identified, Authorize • User accounts are the mechanism used to identify and authorize people • Access control is based on identification • Most common authentication is a password • Password and account policies help improve security Implementing Policies • The whole access control process is driven by policies and procedures • One part of the implementation is policies is to implement a password policy that makes it less likely that an attacker can break into computer systems by compromising a password Password Policy • What makes a good . password policy? • New password • Reuse of old passwords • Length of validity • When can it be changed • Minimum length of password • Complexity requirements • Should password be stored Specific OS Attacks • Dos: attack on availability, consume resources • Hack: exploit a vulnerability to gain unauthorized access to the system • Backdoor: An access method that bypasses the normal security of the system • Memory issues: Memory is not erased before given to another program • Escalation of privileges: user exploits vulnerability to gain unauthorized access • Default settings: most OS ship with simplest configuration, security disabled Securing Systems • Perform system hardening • Find out what vulnerabilities are still present • Fix them Countermeasures: DoS • Set network and host firewall filters for known bad traffic • Apply OS patches for know vulnerabilities • Limit time and resources to processes • Monitor for threat activity on the network and host using IDS • “Detect and block” Countermeasures: Hack the System • Use account and password policies • Change default accounts, settings, passwords • Use restricted accounts for services • Apply OS patches for known vulnerabilities • Turn off unnecessary services • Watch for social engineering Countermeasures: Backdoor • • • • • Backdoors are installed by the developer Disable any unnecessary default accounts Apply OS patches for known vulnerabilities Scan system periodically Monitor system Countermeasures: Memory Issues • Memory management is an issues that has a severe impact on performance • Apply OS patches for known vulnerabilities • Turn on security features • Reclaim memory on process termination Countermeasures: Escalation of Privileges • Apply OS patches for known vulnerabilities • Monitor system • Establish restricted accounts for services (don’t run everything as administrator) Countermeasures: Default Settings • • • • Disable unnecessary accounts and services Apply OS patches for known vulnerabilities Follow lockdown procedures when possible Monitor the system Common Application Security Threats • Unauthorized access to applications: first line of defense is access control • Cross-Site Scripting: browser allows code injection • SQL injection: inserts independent queries into a database • Buffer flow: input from a user exceeds the length or other characteristics of an expected input • Arbitrary code execution: one of the common methods used by attackers to execute commands to take over or crash the targeted machine Unauthorized Access Countermeasures • Determines what object can access application • Can be implemented based on users, permissions, and folder structures • UserID and password • Honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. XSS Countermeasures • • • • • • • • • Vulnerability in web applications Web server owner should: Keep web server updated Scan for XSS vulnerabilities Configure applications and servers properly User should: Keep web browser updated Practice safe web surfing Attend awareness training SQL Injection Countermeasures • Database vulnerability (credit card info/patient information) • Input validation • Manual code review • Least privilege • When not required, disable privileges to stored procedures, tables, etc. • Limit execution privileges to SELECT, UPDATE, DELETE and user-stored procedures Buffer Overflow Countermeasures • Software vulnerability and programming (C and C++) • Stack buffer overflow “Morris Worm” • Write secure code • Use compiler tools to detect unsafe instruction sets in application • Have a limited number of processes running • Keep your application updated with latest patches from software vendor • Control privilege Arbitrary Code Execution Countermeasures • • • • • Software bug Install latest updates and Service Packs Disable scripting and ActiveX (Drive by) Configure application securely Use alternate, safer applications Drive by Download • Drive by Download is an unintended download of computer software from the Internet: 1. Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet). 2. Any download that happens without a person's knowledge. 3. Download of spyware, a computer virus or any kind of malware that happens without a person's knowledge. Personal Information Threats • Unauthorized access to personal information • Loss of personal information • Unauthorized disclosure of personal information • Spoofing • Malicious software (Malware) Unauthorized Access to Personal Information • Commonly done by cracking user passwords • Recovering passwords from data that has been stored in or transmitted by a computer system • Password cracking methods • Dictionary • Hybrid • Brute force (every password WILL be cracked) Password Cracking (1-11) • • • • • • • • • • • andy helen2008 Computer Jonas_Puente marykay htimsnosaj b1@nc@&l33 cold*beer 020973 n1h0nj1n *pdbmc12 Loss of Personal Information • • • • • • Human error, 32% Software corruption, 25% Virus attack (malware), 22% Hardware failure, 13% Sabotage, 6% Natural disasters, 2% Spoofing • A situation in which a person/program successfully masquerades as another by presenting false information. Malicious Software (Malware) • Designed to damage/disrupt a system without the owner’s consent. • Software that gets installed on your system and performs unwanted tasks. • Pop ups to virus deployment. Virus • Individual programs that propagate by first infecting executable files or the system and then makes copies of itself. • Can operate without your knowledge (visit website, you open attachment). • WE OPEN IT Worm • Designed to replicate and spread from computer to computer (attach to file and run on their own) • WE DON’T HAVE TO OPEN IT Trojan Horse • Designed and written like normal programs but have hidden code that can compromise your system from remote user/computer. Logic/Time Bomb • Program that lies dormant until it is activated by something (date, message). Spyware • Computer software that gathers information about a computer user and transmits it without your knowledge (benign or malignant, websites or credit card information). Adware • Advertising supported software in which advertisements are displayed while the program is running. Malware Goals • Malicious code threatens three primary security goals: • Confidentiality: Programs like spyware can capture sensitive data while it is being created and pass it on to an outside source. • Availability: Many viruses are designed to modify operating system and program files, leading to computer crashes. Internet worms have spread so widely and so quickly that they have overloaded Internet connections and email systems, leading to effective denial-of-service attacks. • Integrity: Protecting information from unauthorized or inadvertent modification. For example, without integrity, your account information could be changed by someone else. Personal Information Security Countermeasures • • • • • Password policies Backup Cryptography Spoofing countermeasures Malware detection and prevention Password Policies • History- 10 passwords • • Max age- 120 days • Min age- 5 days or 0 for shoulder surfing • • Min length- 15 characters (at least 8) • Complexity- enabled • Combo of upper & lower case & special character & number • La2!xxxx • No dictionary words/patterns • No easily obtainable information No birthdays, pet names, fictional character, proper noun, etc Use of mnemonics Backup • Copying files to a second medium for later retrieval as a precaution in case the first medium fails • Perform frequently • Keep in a separate location • 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster • 50% of businesses that found themselves without data management for this same period filed for bankruptcy immediately Spoofing Countermeasures • Practice safe email usage and web surfing • Attend security awareness training Malware Countermeasures • Only run software you can trust • Install antivirus software • Scan file attachments with antivirus software before opening • Verify critical file integrity • BACKUP Electronic Health/Medical Records • An electronic health record (EHR) is an evolving concept defined as a systematic collection of electronic health information about individual patients or populations • It is a record in digital format that is capable of being shared across different health care settings, by being embedded in network-connected enterprise-wide information systems • Such records may include a whole range of data in comprehensive or summary form, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats like age and weight, and billing information Health Insurance Portability and Accountability Act of 1996 (HIPAA) • The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety. EHR • Advantages • Reduction of cost • Improve quality of care • Promote evidencebased medicine • Record keeping and mobility • Disadvantages • Costs • Time . Are EHRs Vulnerable? YES! • Vulnerabilities discovered, reported to eHealth vendor and then patched • Patches take A LOT of time to fix • 2,211 days (vendor) vs. 284 days (Microsoft) • No one eHealth vendor in charge Possible Issues • Unauthorized users can compromise integrity and confidentiality • Unauthorized access to computer networks • Password protection (hacks and policies) • Subversive software (malware) • Disaster Privacy and Security Issues • • • • Data breaches Theft Lost devices Social networking Personally Identifiable Information (PII) • Information that permits the identity of an individual to be inferred directly or indirectly • PII includes any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, a legal permanent resident, or a visitor to the United States • Apply the "need to know" principle before disclosing PII to other personnel • Challenge the need for the requested PII before sharing • Consider PII materials for official use only • Limit the collection of PII for authorized purposes only Examples of PII • • • • • • • • • Name Date of birth Biometrics Mailing address Phone # Email address Zip code Account numbers License information • • • • Social Security # Place of birth License plate Photos Sensitive Data • • • • • • • Confidentiality of patient records Mental health Sexual health Drug/alcohol Minors Intimate partner violence/sexual violence Genetic information Privacy and Security of EHR • Security program components and regulatory requirements (HITECH, HIPAA, Breach Notification Laws, State Laws) • Risk assessment and mitigation plans • Security program evaluation • Privacy and security awareness training for all staff • Disclosure logs Privacy and Security • Security audit programs will be under the purview of the OCR (Office of Civil Rights) which is expected to begin with existing programs in 2011. • CIA Triad Data Segmentation • • • • • • Structured data fields Common data definitions Data entry Locating data Technology and codes Building intelligence Safeguarding PII • Store sensitive information in a room or area that has access control measures to prevent unauthorized access by visitors or members of the public (e.g., locked desk drawers, offices, and file cabinets) • Never email sensitive information to unauthorized individuals. • Never leave sensitive information on community printers • Take precautions to avoid the loss or theft of computer devices and removable storage media • Destroy all sensitive information by appropriate methods (paper shredder) when it is no longer needed • Notify your immediate supervisor if you suspect or confirm that a privacy incident has occurred Security Vulnerabilities and Countermeasures • Safeguard data • Monitor control on key systems and check inadequate logging • Protect access control • Data encryption • Privacy awareness training • Create strong vendor management • Develop business continuity and incident response plans Security and Assurance Program • Protective measures to address potential cyber security threats include: • Firewalls and virus protection systems • Password procedures • Information encryption software • Computer access control systems • Computer security staff background checks (at initial hire and periodically) • Computer security staff training & 24/7 on-call technical support • Computer system recovery and restoration plans • Intrusion detection systems • Redundant & backup systems, & offsite backup data storage In Summary… • • • • • • • Identify vulnerabilities Human error is biggest threat Fix vulnerabilities (patches, etc.) Have policies and procedures Computer maintenance program Educate staff Stay informed of latest and greatest References • Voice & Data Security: An Introduction to Information Assurance (FEMA/DHS) • IS 906: Workplace Security Awareness (FEMA) • EHR PPT, Nina Robinson, NJPCA